Stuxnet heralded the rise of cyber warfare, but the new era has yet to dawn.
NATO missiles exploded on Libyan soil in the spring of 2011, but a supporting cyber offensive was surprisingly absent.
The concept of a cyber attack has been in the public consciousness since at least 2010 when the computer worm Stuxnet dealt a heavy blow to Iranian nuclear facilities. Over the last half-decade, it has become increasingly evident that the wars of tomorrow will be fought in part through computers. What had been unknown is the extent to which military cyber attacks will replace contemporary maneuvers like air strikes. Stuxnet revealed that attacks could be launched through computers rather than missiles.
Stuxnet itself took two years to reach target computers in Iran after development. That alone is a sign of how long countries have been researching cyber warfare, but Stuxnet is not the only proof. Other incidents of cyber warfare date at least as far back as 2006, when Israeli intelligence estimated Hezbollah was hiring civilian Russian computer experts to operate on its behalf against Israel.
A leader in the field, Israel was itself suspected of launching a cyber attack against Syria in 2007 that ensured aircraft used in a coordinated airstrike were undetected by Syrian radar. Analysts suspected the Israeli military had used something similar to America’s own Suter program, which attacks and disrupts enemy communication networks like those used by anti-aircraft missiles. Suter has been in use by the U.S. military in Iraq since 2006.
In 2007, the computer security firm McAfee released a report developed with input from NATO that proposed that at least 120 countries were launching “web espionage operations.” McAfee’s David Marcus suspected that cyber warfare would not replace conventional warfare but merely augment it. He also predicted that it would become common for governments to license private hackers to attack foreign countries with “state-sponsored malware.” Marcus’ predictions seemed accurate for 2007, but they fell far short of the developments in cyber warfare that followed.
In 2009, the United States created Cyber Command. It was one of the first government centers recognized as handling cyber warfare exclusively, including, importantly, both its defensive and offensive aspects. In 2010, the U.S. “formally recognized cyberspace as a new domain in warfare […] just as critical to military operations as land, sea, air, and space.” In the same month, the United Kingdom announced plans to establish its own office of cyber attack and defense.
At the end of 2009, South Korea followed suit, announcing plans to create a cyber warfare command that would conduct both defensive and offensive operations—scrapping previous plans to put its cyber unit under the Defense Security Command. In 2010, China likewise announced the creation of its first department dedicated to tackling cyber warfare. In response, Ni Lexiong, a Shanghai-based military analyst, predicted in an interview with the South China Morning Post that “the Internet will become another key battlefield in tomorrow’s world.”
At the start of the new decade, governments the world over had announced plans to take matters of cyber warfare into publicly funded hands. They were no longer following the privatized model predicted by Marcus but were instead “hiring the hackers” directly onto government payroll in order to develop “cyber offensive capabilities,” as predicted by analyst Misha Glenny.
In June of 2010, after two years of waiting, the computer worm Stuxnet disrupted computer systems in Iran’s nuclear facilities. Israel had deemed the compounds unfeasible for airstrikes due to their distance, fortifications, and the United States’ reluctance to back Israel in the conflict. Though the creator of Stuxnet is unknown, that these compounds were the intended target was obvious from its programming. Stuxnet succeeded where missiles could not. The computer worm compromised centrifuges and physically damaged the enriched uranium important to Iranian nuclear research.
Ralph Langner, a German security consultant who analyzed the Stuxnet code, describes how the computer worm was “generic.” Only a small section of the program was needed to compromise the centrifuges and to override their fail-safes. The majority of the code dealt with covertly duplicating itself across computer systems so that it would eventually make its way onto the closed computer network used at the Iranian research facilities by means of an infected portable drive. Stuxnet had a very specific target, but Langner describes how conventional worm technology could be used to create a “cyber weapon of mass destruction” that, like Stuxnet, could even strike closed government networks.
Last fall, malicious software was discovered in computers used by the U.S. military’s remotely piloted aircraft. U.S. officials believe it was an accidental infection by credential-stealing software that is a common threat to household computers. The incident highlights, however, that even the most isolated computer systems are susceptible to the spread of malware. The drone aircraft are flown entirely by remote control. If the malware had been designed for the aircraft as Stuxnet was for the Iranian computers, the outcome could have been much worse.
In June of 2011, the U.S. Secretary of Defense, Leon Panetta, was speaking from an American perspective when he said “the next Pearl Harbor we confront could very well be a cyber attack,” but the issue he was referring to is one that concerns governments worldwide. The programming and infrastructure that it took to launch Stuxnet were no surprise to analysts, but that a cyber attack could succeed at destruction where an aircraft would fail was surprising. The world had taken note. The cyber warfare centers that formed in dozens of countries indicate not only that nations are preparing to defend against cyber attacks, but that they are prepared to launch them as well.
So why did NATO hold back its cyber capabilities when sending aircraft into Libya last year? A senior U.S. Defense Department official told The New York Times in October that cyber attacks “were seriously considered because they could cripple Libya’s air defense and lower the risk to pilots.” The cyber offensive was rejected, however, because it might not have been ready in time. America’s Suter had long been used in Iraq by this point, but customizing the program to match the specific weaknesses of a new target might not have been successful on the short notice with which the Libyan air operations were launched.
Stuxnet opened the world’s eyes to the capabilities of cyber warfare, but it will still take time before cyber offensives are fully integrated into today’s military operations.